Switch Shield Support (DDoS Protection using Switch Capabilities)
05/06/2020
Description
This feature provides protection from Denial of Service attacks that make the firewall too busy to provide service. It was introduced in the 6.5.3.1 feature release and is available on all later versions.
NOTE: This feature is supported on NSA 3600 through NSA 6600, NSa series, and SuperMassive series platforms. For the NSA 6600 and other platforms that do not have ports connected through the Broadcom switch (directly connected ports), this feature applies only to ports that are connected through the Broadcom switch (indirectly connected ports).
Resolution
To enable Switch Shield protection:
1. Navigate to MANAGE | System Setup | Switching | Switch Shield.
2. Select the Switch Shield options to be enabled. To protect against:
   - IP packets in which the source IP equals the destination IP, select SIP = DIP for IPv4/IPv6 packets
   - TCP Syn fragmented packets, select TCP Syn Frag Packets
   - TCP packets without control flags or sequence, select TCP packets with control flags = 0 and sequence number = 0
   - TCP packets with FIN, URG, and PSH bits enabled and the sequence number equal to 0, select TCP packets with FIN, URG, and PSH bits set and sequence number = 0
   - TCP packets with SYN and FIN bits enabled, select TCP packets with SYN and FIN bits are set
   - TCP packets with the source port equal to the destination port, select TCP Source Port = TCP Destination Port
   - TCP packets with a partial (< 20 bytes) header, select First TCP fragment does not have the full TCP header (less than 20 bytes)
   - TCP header offset equal to 1, select TCP header has fragment offset value as 1
   - UDP packets with the source port equal to the destination port, select UDP Source Port number = UDP Destination Port number
   - Fragmented ICMP packets, select Fragmented ICMP packets
   - Packets in which the source MAC address equals the destination MAC address, enable MAC SA == MAC DA
   - IPv4 first fragment, select IP first Fragment Check
   - Oversized or big ICMP packets, specify the maximum packet size in the:
     - Large ICMPv4 packet size field
     - Large ICMPv6 packet size field
   - Invalid TCP headers, specify the minimum header size in the Minimum TCP header size field
   - Small IPv6 fragments, enter the minimum fragment size in the IPv6 minimum fragment size field
3. Click ACCEPT.
TIP: SIP = Source IP address, DIP = Destination IP address, SA = Source address, DA = Destination address.
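The options above are all header-level conditions that a switch ASIC can evaluate without any connection state. The following added example (not SonicWall's code, and not how the Broadcom switch implements the checks) applies the same conditions in Python to constructed Ethernet/IPv4 frames, so an engineer can see exactly which header fields each option keys on and what a matching packet looks like. It covers the IPv4 options only; the ICMP size limit and minimum TCP header size are passed in as parameters because the page gives no default values for those fields, and the "large ICMP" check is assumed to compare against the IP total length.

```python
"""Header-level checks in the spirit of the Switch Shield options (example code,
not SonicWall's implementation), run over frames constructed inline."""
import struct

ETH_LEN, IPV4_MIN_LEN, TCP_MIN_LEN = 14, 20, 20
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20  # TCP flag bits (low bits of the 6th 16-bit word)


def parse_ipv4_frame(frame):
    """Split an Ethernet II / IPv4 frame into (eth, ip, l4) parts; None for non-IPv4."""
    if len(frame) < ETH_LEN + IPV4_MIN_LEN:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if etype != 0x0800:
        return None
    ip = frame[ETH_LEN:]
    vihl, _tos, total, _id, frag, _ttl, proto, _csum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:IPV4_MIN_LEN])
    ihl = (vihl & 0x0F) * 4
    return ({"src": src, "dst": dst},
            {"proto": proto, "sip": sip, "dip": dip, "total": total,
             "mf": bool(frag & 0x2000), "offset": frag & 0x1FFF},  # MF flag, 13-bit offset
            ip[ihl:total])


def switch_shield_checks(frame, large_icmp=1024, min_tcp_hdr=20):
    """Return the names of the Switch Shield style conditions this frame matches.

    large_icmp and min_tcp_hdr stand in for the page's size fields; the values are
    assumptions, not documented defaults."""
    parsed = parse_ipv4_frame(frame)
    if parsed is None:
        return []
    eth, ip, l4 = parsed
    hits = []
    if eth["src"] == eth["dst"]:
        hits.append("MAC SA == MAC DA")
    if ip["sip"] == ip["dip"]:
        hits.append("SIP = DIP")
    if ip["offset"] == 0 and ip["mf"]:  # first fragment of a fragmented datagram
        hits.append("IP first fragment")
    if ip["proto"] == 6:  # TCP
        if ip["offset"] == 1:
            hits.append("TCP header has fragment offset value as 1")
        elif ip["offset"] == 0:
            if len(l4) < TCP_MIN_LEN:
                hits.append("First TCP fragment does not have the full TCP header")
            else:
                sport, dport, seq, _ack, doff_flags = struct.unpack("!HHIIH", l4[:14])
                flags, doff = doff_flags & 0x3F, (doff_flags >> 12) * 4
                if doff < min_tcp_hdr:
                    hits.append("Minimum TCP header size")
                if sport == dport:
                    hits.append("TCP Source Port = TCP Destination Port")
                if flags & SYN and ip["mf"]:
                    hits.append("TCP Syn Frag Packets")
                if flags == 0 and seq == 0:
                    hits.append("TCP packets with control flags = 0 and sequence number = 0")
                if flags & (FIN | URG | PSH) == (FIN | URG | PSH) and seq == 0:
                    hits.append("TCP packets with FIN, URG, and PSH bits set and sequence number = 0")
                if flags & (SYN | FIN) == (SYN | FIN):
                    hits.append("TCP packets with SYN and FIN bits are set")
    elif ip["proto"] == 17 and ip["offset"] == 0 and len(l4) >= 8:  # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.append("UDP Source Port number = UDP Destination Port number")
    elif ip["proto"] == 1:  # ICMP
        if ip["mf"] or ip["offset"]:
            hits.append("Fragmented ICMP packets")
        if ip["total"] > large_icmp:  # assumption: limit applies to the IP total length
            hits.append("Large ICMPv4 packet size")
    return hits


# Builders for constructed sample frames (addresses are placeholders, not real hosts).
def build_frame(proto, l4, src_mac=b"\x02" * 6, dst_mac=b"\x02\x00\x00\x00\x00\x01",
                sip=b"\x0a\x00\x00\x01", dip=b"\x0a\x00\x00\x02", mf=False, offset=0):
    total = IPV4_MIN_LEN + len(l4)
    frag = (0x2000 if mf else 0) | offset
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, frag, 64, proto, 0, sip, dip)
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip + l4


def tcp_segment(sport, dport, seq, flags, doff=5):
    """Minimal 20-byte TCP header; doff is the data offset in 32-bit words."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (doff << 12) | flags, 8192, 0, 0)


if __name__ == "__main__":
    samples = {
        "syn+fin": build_frame(6, tcp_segment(1234, 80, 1, SYN | FIN)),
        "land-style": build_frame(6, tcp_segment(80, 80, 0, SYN), dip=b"\x0a\x00\x00\x01"),
        "icmp first fragment": build_frame(1, b"\x08\x00" + b"\x00" * 6, mf=True),
        "normal syn": build_frame(6, tcp_segment(40000, 443, 12345, SYN)),
    }
    for name, frame in samples.items():
        print(f"{name}: {switch_shield_checks(frame) or 'no match'}")
```

Each check here is stateless and looks only at the frame in hand, which is why such conditions can be enforced in switch hardware before the packets ever reach the firewall's CPU; it also means they catch malformed or self-addressed packets, not volumetric floods of well-formed traffic.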